Mercurial > p > roundup > code

annotate doc/security-history.txt @ 8575:b1024bf0d9f7

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
feature: add nonceless/tokenless CSRF protection Add tokenless CSRF protection following: https://words.filippo.io/csrf/ Must be enabled using use_tokenless_csrf_protection in config.ini. By default it's off. If enabled the older csrf_* settings are ignored. The allowed_api_origins setting is still used for Origin comparisons. This should also improve performance as a nonce isn't required so generating random nonce and saving it to the otks database is eliminated. doc/admin_guide.txt, doc/reference.txt doc/upgrading.txt doc updates. roundup/configuration.py add use_tokenless_csrf_protection setting. move allowed_api_origins directly after use_tokenless_csrf_protection and before the older csrf_* settings. It's used by both of them. Rewrite description of allowed_api_origins as its applied to all URLs with tokenless protection, not just API URLs. roundup/anypy/urllib_.py import urlsplit, it is used in new code. urlparse() is less efficient and splits params out of the path component. Since Roundup doesn't require that params be split from the path. I expect future patch will replace urlparse() with urlsplit() globally and not need urlparse(). roundup/cgi/client.py add handle_csrf_tokenless() and call from handle_csrf() if use_tokenless_csrf_protection is enabled. refactor code that expires csrf tokens when used with the wrong methods (i.e. GET) into expire_exposed_keys(). Call same from handle_csrf and handle_csrf_tokenless. Also improve logging if this happens including both Referer and Origin headers if available. Arguably we dont care about CSRF tokens exposed via GET/HEAD/OPTIONS in the tokenless case, but this cleans them up in case the admin has to switch back. At some future date we can delete all the nonce based CSRF from 2018. Update handle_csrf() docstring about calling/returning handle_csrf_tokenless() when enabled. Call expire_exposed_keys(method) if token is supplied with wrong method. roundup/cgi/templating.py disable nonce generation/save and always return "0" when use_tokenless_csrf_protection enabled.
author John Rouillard <rouilj@ieee.org>
date Sun, 19 Apr 2026 20:50:07 -0400
parents 485cecfba982
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
7092
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
1 .. meta::
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
2 :description:
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
3 Security mechanism implementation document for historical purposes.
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
4
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
5 :orphan:
1836e0ef7751 Add new security.txt
John Rouillard <rouilj@ieee.org>
parents: 7091
diff changeset
6
7322
485cecfba982 Simplify TOC; older docs pushed a level down; Consolidate debugging
John Rouillard <rouilj@ieee.org>
parents: 7092
diff changeset
7 =============================
485cecfba982 Simplify TOC; older docs pushed a level down; Consolidate debugging
John Rouillard <rouilj@ieee.org>
parents: 7092
diff changeset
8 Old Security Mechanisms Notes
485cecfba982 Simplify TOC; older docs pushed a level down; Consolidate debugging
John Rouillard <rouilj@ieee.org>
parents: 7092
diff changeset
9 =============================
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 Current situation
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 =================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 Current logical controls:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16 ANONYMOUS_ACCESS = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
17 Deny or allow anonymous access to the web interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18 ANONYMOUS_REGISTER = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
19 Deny or allow anonymous users to register through the web interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
20 ANONYMOUS_REGISTER_MAIL = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
21 Deny or allow anonymous users to register through the mail interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
22
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
23 Current user interface authentication and controls:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
24
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
25 - command-line tool access controlled with passwords, but no logical controls
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
26 - CGI access is by username and password and has some logical controls
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
27 - mailgw access is through identification using sender email address, with
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
28 limited functionality available
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
29
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
30 The web interface implements has specific logical controls,
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
31 preventing non-admin users from accessing:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
32
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
33 - other user's details pages
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
34 - listing the base classes (not issues or their user page)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
35 - editing base classes
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
36
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
37 Issues
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
38 ======
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
39
4732
8ee41c7372e7 doc: Fix some Sphinx warnings.
anatoly techtonik <techtonik@gmail.com>
parents: 4567
diff changeset
40 1. The current implementation is ad-hoc, and not complete for all use cases.
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
41 2. Currently it is not possible to allow submission of issues through email
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
42 but restrict those users from accessing the web interface.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
43 3. Only one user may perform admin functions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
44 4. There is no verification of users in the mail gateway by any means other
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
45 than the From address. Support for strong identification through digital
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
46 signatures should be added.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
47 5. The command-line tool has no logical controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
48 6. The anonymous control needs revising - there should only be one way to be
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
49 an anonymous user, not two (currently there is user==None and
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
50 user=='anonymous').
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
51
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
52
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
53 Possible approaches
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
54 ===================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
55
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
56 Security controls in Roundup could be approached in three ways:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
57
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
58 1) at the hyperdb level, with read/write/modify permissions on classes, items
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
59 and item properties for all or specific transitions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
60 2) at the user interface level, with access permissions on CGI interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61 methods, mailgw methods, roundup-admin methods, and so on.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
62 3) at a logical permission level, checked as needed.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
63
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
64 In all cases, the security built into roundup assumes restricted access to the
4567
32b24abfe98e Documentation polishing.
Eric S. Raymond <esr@thyrsus.com>
parents: 4557
diff changeset
65 hyperdatabase itself, through operating-system controls such as user or group
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
66 permissions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
67
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
68
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
69 Hyperdb-level control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
70 ---------------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
71
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
72 Control is implemented at the Class.get, Class.set and Class.create level. All
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
73 other methods must access items through these methods. Since all accesses go
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
74 through the database, we can implement deny by default.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
75
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
76 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
77
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78 - easier to implement as it only affects one module
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
79 - smaller number of permissions to worry about
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
80
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
81 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
82
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
83 - harder to determine the relationship between user interaction and hyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
84 permission.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
85 - a lot of work to define
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
86 - must special-case to handle by-item permissions (editing user details,
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
87 having private messages)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
88
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
89
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
90 User-interface control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
91 ----------------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
92
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
93 The user interfaces would have an extra layer between that which
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
94 parses the request to determine action and the action method. This layer
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
95 controls access. Since it is possible to require methods be registered
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
96 with the security mechanisms to be accessed by the user, deny by default
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
97 is possible.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
98
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
99 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
100
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101 - much more obvious at the user level what the controls are
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
102
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
103 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
104
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
105 - much more work to implement
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
106 - most user interfaces have multiple uses which can't be covered by a
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
107 single permission
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
108
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
109 Logical control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
110 ---------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
111
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
112 At each point that requires an action to be performed, the security mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
113 are asked if the current user has permission. Since code must call the
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
114 check function to raise a denial, there is no possibility to have automatic
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
115 default of deny in this situation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
116
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
117 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
118
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
119 - quite obvious what is going on
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
120 - is very similar to the current system
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
121
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
122 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
123
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
124 - large number of possible permissions that may be defined, possibly
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
125 mirroring actual user interface controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
126 - access to the hyperdb must be strictly controlled through program code
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
127 that implements the logical controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
128
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
129
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
130 Action
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
131 ======
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
132
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
133 The CGI interface must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
134
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
135 - authenticate over a secure connection
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
136 - use unique tokens as a result of authentication, rather than pass the user's
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
137 real credentials (username/password) around for each request (this means
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
138 sessions and hence a session database)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
139 - use the new logical control mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
140
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
141 - implement the permission module
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
142 - implement a Role editing interface for users
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
143 - implement htmltemplate tests on permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
144 - switch all code over from using config vars for permission checks to using
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
145 permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
146 - change all explicit admin user checks for Role checks
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
147 - include config vars for initial Roles for anonymous web, new web and new
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
148 email users
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
149
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
150 The mail gateway must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
151
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
152 - use digital signatures
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
153 - use the new logical control mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
154
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
155 - switch all code over from using config vars for permission checks to using
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
156 permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
157
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
158 The command-line tool must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
159
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
160 - use the new logical control mechanisms (only allowing write
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
161 access by admin users, and read-only by everyone else)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
162
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
163
Roundup Issue Tracker: http://roundup-tracker.org/